Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 08 February 2002.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

4) [X] Claim(s) 1-69 is/are pending in the application.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-17, 21, 23-26, 28, 30-35, 38 and 40-69 is/are rejected.

7) [X] Claim(s) 18-20, 22, 27, 29, 36, 37 and 39 is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

DETAILED ACTION

1. Claims 1-69 are pending.

Claim Rejections - 35 USC § 112

2. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

3. Claim 9 recites the limitation "the packet flows". There is insufficient antecedent 
basis for this limitation in the claim. 

4. Claim 17 recites the limitation "the traffic signature". There is insufficient 
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1-7, 12-17, 21, 23-25, 30-31, 33-35, 38, 40, 43-45, 49-50, 52-55, 58, 60 
and 63-69 are rejected under 35 U.S.C. 103(a) as being unpatentable over Gleichauf et 
al. (6,499,107) in view of Nikander et al. (6,253,321). 

a) As to claims 1 and 24, Gleichauf discloses a method and system for
adaptive network security using intelligent packet analysis comprising reassembling a
plurality of TCP packets in the network traffic into a TCP stream, Gleichauf implicitly
discloses this limitation (i.e. TCP stream reassembly) on col. 6, lines 39-40, to make it 
even clearer, the examiner takes official notice that use of reassembling TCP packets 
into a TCP stream is quite well known in data communications network. Data traveling 
over an IP network is always broken up into packets, the IP protocol adds information to 
each packet so that the routers along the network know where the data came and 
where it is going, the packets may be received out of order, or not, and are reassembled 
in the proper order at the destination computer; inspecting the TCP stream to detect 
information indicative of security breaches (col. 3, lines 1-4). 

Gleichauf does not disclose dropping a TCP packet from the TCP stream if the 
TCP stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches. 

Nikander discloses dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches (col. 4, lines 41-45). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches in the system of Gleichauf, as Nikander teaches so as to
effectively manage communications data. 

b) As to claims 2, 12 and 15, Gleichauf discloses inspecting the TCP stream 
to detect information indicative of security breaches comprising inspecting the TCP 
stream for protocol irregularities (col. 6, lines 36-42). 

c) As to claims 3, 13, and 16-17, Gleichauf discloses inspecting the TCP to 
detect information indicative of security breaches comprising searching the TCP stream 
for attack signatures (col. 1, lines 29-31).

d) As to claims 4, 31, 35, 50, 54, 66 and 69, Gleichauf discloses searching
the TCP stream for attack signatures comprises using stateful signature detection (col. 
6, lines 45-52). 

e) As to claims 5, 14, 33, 52 and 67, Gleichauf discloses inspecting the TCP 
stream to detect information indicative of security breaches using a plurality of network 
intrusion detection methods (col. 6, lines 66-67). 

f) As to claims 6, 30, 34, 49, 53, 65 and 68, Gleichauf discloses the plurality 
of network intrusion detection methods comprises at least protocol anomaly detection 
(col. 6, lines 36-42).

g) As to claim 7, Gleichauf discloses the plurality of network intrusion 
detection methods comprises at least signature detection (col. 6, lines 43-45). 

h) As to claims 21 and 38, Gleichauf discloses searching the TCP stream for 
attack signatures comprises querying the signatures database to determine whether 
there are matching signatures in the TCP stream (col. 6, lines 45-52; col. 5, lines 36-42).

i) As to claims 23, 25, 45 and 58, Gleichauf discloses reconstructing the 
plurality of TCP packets from a plurality of packet fragments (col. 6, lines 39-40). 

j) As to claims 40, 55, 60 and 63-64, Gleichauf discloses a routine for 
collecting a plurality of security logs and alarms recording information about security 
breaches found in the TCP stream (col. 7, lines 1-5); a routine for storing a network 
security policy identifying the network traffic to inspect and a plurality of network attacks 
to be detected and prevented (col. 5, lines 33-42); a routine for distributing the network
security policy to one or more gateway points in the network (Fig. 2, element 20) and a
routine for updating the protocol database and the signatures database (col. 9, lines 7-13).

k) As to claim 43, Gleichauf discloses the network intrusion detection and
prevention sensor is placed inside a firewall (col. 4, lines 47-49). 

l) As to claim 44, Gleichauf discloses the network intrusion detection and
prevention sensor is placed outside a firewall (col. 5, lines 24-27). 

7. Claims 8-11, 26, 28, 32, 41, 47-48, 51, 56 and 61-62 are rejected under 35
U.S.C. 103(a) as being unpatentable over Gleichauf et al. (6,499,107) in view of
Nikander et al. (6,253,321) and further in view of Copeland, III (2003/0105976).

a) As to claims 8, 26 and 47, Gleichauf and Nikander do not disclose 
grouping the plurality of TCP packets into packet flows and sessions.

Copeland discloses a flow-based intrusion detection system for detecting
intrusions in computer communication networks comprising grouping the plurality of
TCP packets into packet flows and sessions (Fig. 1, elements "FLOW F1-FLOW F4";
page 5, paragraph [0058]; Fig. 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of grouping the plurality of TCP packets into packet flows 
and sessions in the system of Gleichauf and Nikander, as Copeland teaches so as to 
effectively determine if the traffic data appears to be legitimate or possible suspicious 
activity. 

b) As to claims 9, 28 and 48, Copeland discloses storing the packet flows in 
packet flow descriptors (page 5, paragraph [0059-0061]). 

c) As to claims 10-11, Copeland discloses searching the packet flow 
descriptors for traffic signatures and inspecting the TCP stream comprises searching for 
a network attack identifier in the TCP stream based on the packet flow descriptors and 
sessions associated with the TCP stream (page 6, paragraph [0070]). 

d) As to claims 32 and 51, Copeland discloses a traffic signature detection
software module for searching the packet flow descriptors for traffic signatures (page 4, 
paragraphs [0047-0051]). 

e) As to claims 41, 56, and 61-62, Copeland discloses the system further
comprising a graphical user interface comprising a routine for displaying network 
security information to network security administrators; and a routine for specifying a 
network security policy (page 11, paragraph [0182]).

8. Claims 42, 46, 57 and 59 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Gleichauf et al. (6,499,107) in view of Nikander et al. (6,253,321) and
further in view of Trcka et al. (6,453,345). 

a) As to claims 42 and 57, Gleichauf discloses a method and system 
for adaptive network security using intelligent packet analysis comprising reassembling 
a plurality of TCP packets in the network traffic into a TCP stream, Gleichauf implicitly 
discloses this limitation (i.e. TCP stream reassembly) on col. 6, lines 39-40, to make it 
even clearer, the examiner takes official notice that use of reassembling TCP packets 
into a TCP stream is quite well known in data communications network. Data traveling 
over an IP network is always broken up into packets, the IP protocol adds information to 
each packet so that the routers along the network know where the data came and 
where it is going, the packets may be received out of order, or not, and are reassembled 
in the proper order at the destination computer; inspecting the TCP stream to detect 
information indicative of security breaches (col. 3, lines 1-4). 

Gleichauf does not disclose dropping a TCP packet from the TCP stream if the 
TCP stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches. 

Nikander discloses dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches (col. 4, lines 41-45).

It would have been obvious to one of ordinary skill in the art at the time of the
invention to employ the use of dropping a TCP packet from the TCP stream if the TCP 
stream contains information indicative of security breaches and forwarding a TCP 
packet to a network destination if the TCP stream does not contain information 
indicative of security breaches in the system of Gleichauf, as Nikander teaches so as to 
effectively manage communications data. 

Gleichauf and Nikander do not disclose a central management server and a 
graphical user interface. 

Trcka discloses a network security and surveillance system comprising a central 
management center (col. 15, lines 13-21; Fig. 8, element 64) to control the network 
intrusion detection and prevention sensor and a graphical user interface for configuring 
the network intrusion detection and prevention sensor (col. 13, lines 50-65). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to employ the use of having a central management server to control the
network intrusion detection and prevention sensor and a graphical user interface for 
configuring the network intrusion detection and prevention sensor (col. 13, lines 50-65) 
in the system of Gleichauf and Nikander as Trcka teaches so as to detect and protect 
against security breaches, network failures and other types of data compromising 
events (col. 1, lines 10-15). 

b) As to claims 46 and 59, Nikander discloses dropping a TCP packet from 
the TCP stream if the TCP stream contains information indicative of security breaches 
and forwarding a TCP packet to a network destination if the TCP stream does not
contain information indicative of security breaches (col. 4, lines 41-45). 



9. Claims 18-20, 22, 27, 29, 36-37 and 39 are objected to as being dependent upon 
a rejected base claim, but would be allowable if rewritten in independent form including 
all of the limitations of the base claim and any intervening claims. 



Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Minh Dieu Nguyen whose telephone number is 571-272-3873.
The examiner can normally be reached on M-F 6:00-2:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is 571-272-2100.